Edit tour

Windows Analysis Report
https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p

Overview

General Information

Sample URL:	https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems
Analysis ID:	1649704
Infos:

Detection

KnowBe4

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Yara detected KnowBe4 simulated phishing

AI detected suspicious Javascript

AI detected suspicious URL

Creates files inside the system directory

Deletes files inside the Windows folder

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12213766920877306329,2707875683570504114,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_KnowBe4	Yara detected KnowBe4 simulated phishing	Joe Security

Joe Sandbox Signatures

• Phishing
• Compliance
• Software Vulnerabilities
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected KnowBe4 simulated phishing

Source: Yara match

File source: 1.0.pages.csv, type: HTML

AI detected suspicious Javascript

Source: 0.0..script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpb... This script exhibits high-risk behavior by redirecting the user to a suspicious and heavily obfuscated URL, which is a common tactic used in phishing and malware attacks. The obfuscated URL suggests an attempt to hide the true destination, which is likely a malicious website designed to steal user credentials or other sensitive information. This level of obfuscation and the lack of transparency around the destination URL are strong indicators of malicious intent, warranting a high-risk score.

AI detected suspicious URL

Source: https://welsfargo.com-onlinebanking.com

Joe Sandbox AI: The URL 'https://welsfargo.com-onlinebanking.com' appears to be a typosquatting attempt targeting the well-known financial institution Wells Fargo. The legitimate URL for Wells Fargo is 'https://www.wellsfargo.com'. The analyzed URL uses a visual character substitution by omitting the second 'l' in 'wells', resulting in 'wels'. Additionally, the structure of the URL includes a misleading subdomain 'com-onlinebanking', which could confuse users into thinking it is a legitimate online banking service of Wells Fargo. The use of 'com-onlinebanking.com' as a domain extension is designed to mimic a legitimate service, increasing the likelihood of user confusion. The high similarity score is due to the close resemblance to the legitimate brand name and the deceptive structural elements. The likelihood of this being a typosquatting attempt is very high, given the visual and structural similarities aimed at misleading users.

Source: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 44.214.113.176:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.214.113.176:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.196.92.142:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.196.92.142:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.12.212:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.249.203:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.72.100:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.91.212.60:443 -> 192.168.2.16:49721 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 23MB later: 40MB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 208.89.73.21
Source: unknown	TCP traffic detected without corresponding DNS query: 208.89.73.21
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.64.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.64.67
Source: unknown	TCP traffic detected without corresponding DNS query: 208.89.73.21

Source: global traffic	HTTP traffic detected: GET /Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214 HTTP/1.1Host: welsfargo.com-onlinebanking.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js HTTP/1.1Host: training.knowbe4.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /packs/js/vendor-954761ad0dceb106b971.js HTTP/1.1Host: training.knowbe4.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js HTTP/1.1Host: training.knowbe4.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /landing_pages/oops/styles.css HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /petite-vue HTTP/1.1Host: unpkg.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /petite-vue@0.4.1/dist/petite-vue.iife.js HTTP/1.1Host: unpkg.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: welsfargo.com-onlinebanking.com
Source: global traffic	DNS traffic detected: DNS query: secured-login.net
Source: global traffic	DNS traffic detected: DNS query: helpimg.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: training.knowbe4.com
Source: global traffic	DNS traffic detected: DNS query: unpkg.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 44.214.113.176:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.214.113.176:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.196.92.142:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.196.92.142:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.12.212:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.249.203:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.72.100:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.91.212.60:443 -> 192.168.2.16:49721 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir6288_1039117786

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6288_1039117786

Source: classification engine

Classification label: mal56.phis.win@23/8@14/131

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12213766920877306329,2707875683570504114,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12213766920877306329,2707875683570504114,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://training.knowbe4.com/packs/js/vendor-954761ad0dceb106b971.js	0%	Avira URL Cloud	safe
https://training.knowbe4.com/assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js	0%	Avira URL Cloud	safe
https://training.knowbe4.com/assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	52.217.12.212	true	false	high
www.google.com	142.250.72.100	true	false	high
training.knowbe4.com	52.85.61.102	true	false	high
secured-login.net	44.196.92.142	true	false	high
unpkg.com	104.17.249.203	true	false	high
landing.training.knowbe4.com	44.214.113.176	true	false	high
helpimg.s3.amazonaws.com	unknown	unknown	false	high
welsfargo.com-onlinebanking.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09	false		unknown
https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214	true		unknown
https://secured-login.net/favicon.ico	false		high
https://secured-login.net/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css	false		high
https://training.knowbe4.com/assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js	false	Avira URL Cloud: safe	unknown
https://training.knowbe4.com/packs/js/vendor-954761ad0dceb106b971.js	false	Avira URL Cloud: safe	unknown
https://helpimg.s3.amazonaws.com/landing_pages/oops/styles.css	false		high
https://unpkg.com/petite-vue	false		high
https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js	false		high
https://unpkg.com/petite-vue@0.4.1/dist/petite-vue.iife.js	false		high
https://training.knowbe4.com/assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.217.12.212	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
54.91.212.60	unknown	United States	14618	AMAZON-AESUS	false
142.251.179.84	unknown	United States	15169	GOOGLEUS	false
44.196.92.142	secured-login.net	United States	14618	AMAZON-AESUS	false
52.85.61.102	training.knowbe4.com	United States	16509	AMAZON-02US	false
44.214.113.176	landing.training.knowbe4.com	United States	14618	AMAZON-AESUS	false
142.251.40.163	unknown	United States	15169	GOOGLEUS	false
104.17.249.203	unpkg.com	United States	13335	CLOUDFLARENETUS	false
142.250.72.100	www.google.com	United States	15169	GOOGLEUS	false
142.251.35.163	unknown	United States	15169	GOOGLEUS	false
142.251.35.174	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.13

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1649704
Start date and time:	2025-03-27 00:56:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.phis.win@23/8@14/131

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.35.174, 142.251.35.163, 142.251.179.84
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214

Created / dropped Files

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65447)
Category:	downloaded
Size (bytes):	380848
Entropy (8bit):	5.202109831427653
Encrypted:	false
SSDEEP:
MD5:	67A0C4DBD69561F3226243034423F1ED
SHA1:	88C1B5C7EBBFA24D8196290206BF544F28EEB406
SHA-256:	74B9F1CFE7CAD31AE1C1901200890B76676E6D92AC817641F5EF9BFD552F2110
SHA-512:	D5326C46E2FC443AA0C75DB573B39957514BD025235ADB5F16797133394E1AFD0A6458B38DA8220BF7558333E8F2334532FBCC4CD9DD4DD5811AAC403B498542
Malicious:	false
Reputation:	unknown
URL:	https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js
Preview:	/! jQuery v3.7.1 \| (c) OpenJS Foundation and other contributors \| jquery.org/license /.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(ie,e){"use strict";var oe=[],r=Object.getPrototypeOf,ae=oe.slice,g=oe.flat?function(e){return oe.flat.call(e)}:function(e){return oe.concat.apply([],e)},s=oe.push,se=oe.indexOf,n={},i=n.toString,ue=n.hasOwnProperty,o=ue.toString,a=o.call(Object),le={},v=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},y=function(e){return null!=e&&e===e.window},C=ie.document,u={type:!0,src:!0,nonce:!0,noModule:!0};function m(e,t,n){var r,i,o=(n=n\|\|C).createElement("script");if(o.text=e,t)for(r in u)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.remove

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 text
Category:	downloaded
Size (bytes):	5649
Entropy (8bit):	5.250605215538956
Encrypted:	false
SSDEEP:
MD5:	B13B4F098D80AC49DCC6BED4E459D560
SHA1:	81FFB3DD594A82F9453D1C45DA812DFC008CAA65
SHA-256:	5FC2013E8D4F5A97667A0A5BFEF9A2E148363D89A46BE49F14CB2C60B1461CA9
SHA-512:	4FEAEA5336B3E1B7B1D26C5D576C655208955D4C7657B967D11A9D58A3086EB0D087DE53606E0AC4E0F3AEFD9993E616BD7B9B343AE23DEB20477BD7EFD75ECC
Malicious:	false
Reputation:	unknown
URL:	https://helpimg.s3.amazonaws.com/landing_pages/oops/styles.css
Preview:	:root {..--clr-neutral-100: #ffffff;..--clr-neutral-200: #f5f5f5;..--clr-neutral-300: #d5d5d5;..--clr-neutral-400: #ababab;..--clr-neutral-500: #707070;..--clr-neutral-600: #2c2c2c;.../* Padding /..--padding-xs: clamp(0.5rem, 1.5%, 0.75rem);..--padding-sm: clamp(1rem, 3%, 1.5rem);..--padding-md: clamp(1.5rem, 6%, 3rem);..--padding-lg: clamp(3rem, 12%, 6rem);.../ Margin /..--block-flow-xs: min(1rem, 2vh);..--block-flow-sm: min(2rem, 4vh);..--block-flow-md: min(4rem, 8vh);..--block-flow-lg: min(8rem, 16vh);.../ Font Sizes /.../ @link https://utopia.fyi/type/calculator?c=320,18,1.2,1240,20,1.25,5,2,&s=0.75\|0.5\|0.25,1.5\|2\|3\|4\|6,s-l&g=s,l,xl,12 /.../ Step -1: 15px . 12.003px /..--step--1: clamp(0.7502rem, 1.0027rem + -0.3258vi, 0.9375rem);../ Step 0: 18px . 16px /..--step-0: clamp(1rem, 1.1685rem + -0.2174vi, 1.125rem);../ Step 1: 21.6px . 21.328px /..--step-1: clamp(1.333rem, 1.3559rem + -0.0296vi, 1.35rem);../ Step 2: 25.92px . 28.4302px */..--step-2: clamp(1.62rem,

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (16900)
Category:	downloaded
Size (bytes):	16901
Entropy (8bit):	5.207509946311759
Encrypted:	false
SSDEEP:
MD5:	A7DB3244C9A6704A3159A38C82207F66
SHA1:	CC3B2BF9D2FCC718C86B1ED2AC7D9CD5BA12EF43
SHA-256:	774BB8E88B09936246A57F0DFED88A375258A8235B893561C96880411DABC4D5
SHA-512:	3197FFB1055735A329D122D6C8EDFA9C12FCCD54E8F22F579A4E79B3C6AE0163391E790429A3F680434309AAECCE1572941EA47DEE321AC080FEAADA2DE3F3B6
Malicious:	false
Reputation:	unknown
URL:	https://unpkg.com/petite-vue@0.4.1/dist/petite-vue.iife.js
Preview:	var pn=Object.defineProperty,hn=(e,t,n)=>t in e?pn(e,t,{enumerable:!0,configurable:!0,writable:!0,value:n}):e[t]=n,C=(e,t,n)=>(hn(e,"symbol"!=typeof t?t+"":t,n),n),PetiteVue=function(e){"use strict";function t(e){if(a(e)){const n={};for(let s=0;s<e.length;s++){const i=e[s],o=d(i)?r(i):t(i);if(o)for(const e in o)n[e]=o[e]}return n}return d(e)\|\|g(e)?e:void 0}const n=/;(?![^(]*\))/g,s=/:(.+)/;function r(e){const t={};return e.split(n).forEach((e=>{if(e){const n=e.split(s);n.length>1&&(t[n[0].trim()]=n[1].trim())}})),t}function i(e){let t="";if(d(e))t=e;else if(a(e))for(let n=0;n<e.length;n++){const s=i(e[n]);s&&(t+=s+" ")}else if(g(e))for(const n in e)e[n]&&(t+=n+" ");return t.trim()}function o(e,t){if(e===t)return!0;let n=h(e),s=h(t);if(n\|\|s)return!(!n\|\|!s)&&e.getTime()===t.getTime();if(n=a(e),s=a(t),n\|\|s)return!(!n\|\|!s)&&function(e,t){if(e.length!==t.length)return!1;let n=!0;for(let s=0;n&&s<e.length;s++)n=o(e[s],t[s]);return n}(e,t);if(n=g(e),s=g(t),n\|\|s){if(!n\|\|!s)return!1;if(Object.k

Chrome Cache Entry: 61

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (398)
Category:	downloaded
Size (bytes):	452
Entropy (8bit):	5.787237369982687
Encrypted:	false
SSDEEP:
MD5:	0CC63B1E9594CB742C10C41002B6C9C2
SHA1:	0DB50D1F5A75C26C06ADD92A20E7B942F6DF74D2
SHA-256:	43AE2B3B623B53D5CE12C5F99DCE3BCD56EA24A47B2877FAC190D451E38FC19C
SHA-512:	E965ACF21654305F4C0F303F94E4481A0F1A10F0CE04684C68755965F90024A381F8DF2954140A8C0C5AD344C968BD4E884178D0ED12731126E686EA1B736671
Malicious:	false
Reputation:	unknown
URL:	https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214
Preview:	<html>. <head>. <script>window.location.href = 'https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09';</script>. </head>. <body>. </body>.</html>.

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	51364
Entropy (8bit):	4.630626843010533
Encrypted:	false
SSDEEP:
MD5:	BF2F96E6233DE3D8C0346085AC28248A
SHA1:	4DB267704D7E3FB2489CF96E82862A2245CD9311
SHA-256:	EE94DDA0AF1FC5C5045741B39E54136015365EEDCA34095F1D3C666998BB442D
SHA-512:	D4DB54380D135D9F5AAA03727CC88037B014C1057A3061C3D173EB8D4CEC7E4A2F71CFCA1478E8E15C093D510EEE80668C2038691EAEB21958942089F0DD9C6C
Malicious:	false
Reputation:	unknown
URL:	https://training.knowbe4.com/assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js
Preview:	/!. Modernizr v2.7.1. * www.modernizr.com. . Copyright (c) Faruk Ates, Paul Irish, Alex Sexton. * Available under the BSD and MIT licenses: www.modernizr.com/license/. /../. * Modernizr tests which native CSS3 and HTML5 features are available in. * the current UA and makes the results available to you in two ways:. * as properties on a global Modernizr object, and as classes on the. * <html> element. This information allows you to progressively enhance. * your pages with a granular level of control over the experience.. . Modernizr has an optional (not included) conditional resource loader. * called Modernizr.load(), based on Yepnope.js (yepnopejs.com).. * To get a build that includes Modernizr.load(), as well as choosing. * which tests to include, go to www.modernizr.com/download/. . Authors Faruk Ates, Paul Irish, Alex Sexton. * Contributors Ryan Seddon, Ben Alman. */..window.Modernizr = (function( window, document, undefined ) {.. var version = '2.7.1',..

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	3205083
Entropy (8bit):	5.067660187114562
Encrypted:	false
SSDEEP:
MD5:	F1232635B40CBFAE664CA09BA03FC9C3
SHA1:	C70240DA2684DB0184AB4C123B7F686035A8FB93
SHA-256:	55644838E3E24BB2ED95B03654F6BC0AB4B5725F73BD9E6656C50AB8441194FF
SHA-512:	FB466E90765EB7D07AD12D8FFF42926F9C86CE41EDFB36254B1EE180221B5429624B711389F0143AA0716DEB113DB1BE9954E9A4FAF49151A6C19867512BB064
Malicious:	false
Reputation:	unknown
URL:	https://training.knowbe4.com/assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js
Preview:	/!. jQuery JavaScript Library v1.12.4. * http://jquery.com/. . Includes Sizzle.js. * http://sizzlejs.com/. . Copyright jQuery Foundation and other contributors. * Released under the MIT license. * http://jquery.org/license. . Date: 2016-05-20T17:17Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper `window`...// is present, execute the factory and get jQuery....// For environments that do not have a `window` with a `document`...// (such as Node.js), expose a factory as module.exports....// This accentuates the need for the creation of a real `window`....// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info....module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.....return factory( w );....};..

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (382)
Category:	downloaded
Size (bytes):	75074
Entropy (8bit):	6.138406589178574
Encrypted:	false
SSDEEP:
MD5:	D8798AAE777F6C93C53155F081A8C8EA
SHA1:	81B8A61366B8F08C3D3A8A2E1CFE499CEC5521B8
SHA-256:	69FEB31D20F8340079383EB02BD89606E55D53476E2C1A9D70646E3A19FE4A25
SHA-512:	495DAB5208A42596D39852997A20433395648AE68D384EE13AB648D5EBF8C936B2E903F19CA8918E6E70D8DEEF1D036AC6962EA5C58B696A5D7F07146E274239
Malicious:	false
Reputation:	unknown
URL:	https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">. <meta name="IMPORTANT" content="This page is part of a simulated phishing attack initiated by KnowBe4 on behalf of its customers." />. <meta name="IMPORTANT" content="If you have any questions please contact support@knowbe4.com." />. <meta content="IE=edge,chrome=1" http-equiv="X-UA-Compatible"/>. <meta name="robots" content="noindex, nofollow" />.. <head>. <script src="/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js"></script>.. <link rel="stylesheet" href="/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css" media="all" />.. </head>. .......<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1.0">... Stylesheet for default styles -->...<link rel="stylesheet" href="https://helpimg

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	1471
Entropy (8bit):	4.754611179426391
Encrypted:	false
SSDEEP:
MD5:	15E89F9684B18EC43EE51F8D62A787C3
SHA1:	9CBAAACEAE96845ECD3497F41EE3B02588ABEC11
SHA-256:	16F13E16A7EF02FB6F94250AA1931DED83DBEE5D9FAD278E33DD5792D085194F
SHA-512:	79E0110A045F28437D192290AC9789270CB0D4E676A985564746DB439992D867BA89639D7738E2A7F7D83BBF37D9A02CAA2AE1DC4E0EE2519797E5840A47FABE
Malicious:	false
Reputation:	unknown
URL:	https://secured-login.net/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css
Preview:	/* line 1, app/assets/stylesheets/landing-watermark.scss /..watermark {. -webkit-writing-mode: vertical-rl;. -ms-writing-mode: tb-rl;. writing-mode: vertical-rl;. text-orientation: sideways;.}../ line 4, app/assets/stylesheets/landing-watermark.scss /..watermark.left {. left: 0;.}../ line 7, app/assets/stylesheets/landing-watermark.scss /..watermark.right {. right: 0;.}../ line 10, app/assets/stylesheets/landing-watermark.scss /..watermark.top {. text-align: center;. -webkit-writing-mode: horizontal-tb;. -ms-writing-mode: lr-tb;. writing-mode: horizontal-tb;. top: -38px;.}../ line 15, app/assets/stylesheets/landing-watermark.scss /..watermark h1 {. -webkit-user-select: none;. -moz-user-select: none;. -ms-user-select: none;. user-select: none;. font-size: 15px;. color: #fdfdfa;. font-weight: bold;.}../ line 24, app/assets/stylesheets/landing-watermark.scss /.#template_sei .watermark.left {. margin-left: -10px;.}../ li

Static File Info

⊘No static file info

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Static File Info